
[Bug] Using the CLI to export esql (ES|QL) rules from Kibana results in ValidationError if using metadata according to documentation #4575


Open
frederikb96 opened this issue Mar 27, 2025 · 2 comments
Labels
bug Something isn't working community Team: TRADE

Comments

@frederikb96
Contributor

frederikb96 commented Mar 27, 2025

Describe the Bug

The CLI python -m detection_rules kibana export-rules doesn't work with a simple esql rule, where metadata is set according to official documentation. It always leads to:

marshmallow.exceptions.ValidationError: {'rule': [ValidationError({'type': ['Must be equal to eql.'], 'language': ['Must be equal to eql.']}), ValidationError({'_schema': ["Rule: test_fberg_esql contains a non-aggregate query without metadata fields '_id', '_version', and '_index' -> Add 'metadata _id, _version, _index' to the from command or add an aggregate function."]}), ValidationError({'type': ['Must be equal to threshold.'], 'threshold': ['Missing data for required field.']}), ValidationError({'type': ['Must be equal to threat_match.'], 'threat_mapping': ['Missing data for required field.'], 'threat_index': ['Missing data for required field.']}), ValidationError({'type': ['Must be equal to machine_learning.'], 'anomaly_threshold': ['Missing data for required field.'], 'machine_learning_job_id': ['Missing data for required field.']}), ValidationError({'type': ['Must be equal to query.']}), ValidationError({'type': ['Must be equal to new_terms.'], 'new_terms': ['Missing data for required field.']})]}

To Reproduce

  1. Create a simple esql rule:

[screenshot]

  2. Try to export it with the CLI and kibana export-rules
  3. Leads to ValidationError

Expected Behavior

No ValidationError since esql metadata is set according to documentation.

Edit: I fixed this via a PR where we validate the order and allow any order of metadata.

Screenshots

No response

Desktop - OS

None

Desktop - Version

No response

Additional Context

No response

@frederikb96
Contributor Author

Can be closed via #4579 once it's merged.

@frederikb96 frederikb96 changed the title [Bug] Using the CLI to export esql (ES|QL) rules from Kibana results in ValidationError [Bug] Using the CLI to export esql (ES|QL) rules from Kibana results in ValidationError if using metadata according to documentation Mar 28, 2025
@eric-forte-elastic
Contributor

Just adding for context for reviewers on the ^ PR. This issue can be more easily tested via DaC commands (loading just a specific rule to the rule loader), but the fundamental issue is with the ES|QL validation for rules passing schema validation rather than any DaC command.

Another testing example illustrating the issue:

[screenshot]
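The validation behaviour described in the issue body and in the comment above, modelled as an added example (this is not the detection-rules project's own validator, nor the code from PR #4579). It assumes a simplified ES|QL grammar, FROM <indices> [METADATA <f1, f2, ...>] [| <command> ...], parses the METADATA clause with a regex, and contrasts an order-sensitive check (an assumed model of the pre-fix symptom, where a clause written in a different order is rejected with the error text shown in the issue) with an order-insensitive check that only requires _id, _version and _index to be present. The sample queries are constructed and do not come from the screenshots.

```python
"""Order-insensitive ES|QL METADATA validation, illustrative model only.

Added example: not the detection-rules project's validator. It models the
symptom from the issue (a rule rejected because its METADATA fields were
written in a different order) and the fix described (accept any order).
"""
import re
from typing import List, Optional

# Metadata fields a non-aggregate ES|QL rule must declare (from the issue text).
REQUIRED_METADATA = ("_id", "_version", "_index")

# Assumed, simplified grammar for the FROM source command:
#   FROM <indices> [METADATA <f1, f2, ...>] [| ...]
# Pipes inside string literals are not handled; fine for this illustration.
_FROM_RE = re.compile(
    r"^\s*from\s+(?P<indices>[^|]+?)(?:\s+metadata\s+(?P<meta>[^|]+))?\s*(?:\||$)",
    re.IGNORECASE | re.DOTALL,
)


def parse_metadata(query: str) -> List[str]:
    """Return the METADATA field names of the FROM command, in written order."""
    match = _FROM_RE.match(query)
    if match is None:
        raise ValueError("ES|QL query must start with a FROM source command")
    raw = match.group("meta")
    if raw is None:
        return []
    return [f.strip().lower() for f in raw.split(",") if f.strip()]


def is_aggregate(query: str) -> bool:
    """True if any processing command is STATS; aggregate queries are exempt."""
    return any(cmd.strip().lower().startswith("stats") for cmd in query.split("|")[1:])


def validate_strict_order(query: str) -> Optional[str]:
    """Assumed pre-fix model: the clause must read exactly '_id, _version, _index'.

    Returns an error message (wording taken from the issue) or None if valid.
    """
    if is_aggregate(query):
        return None
    if parse_metadata(query) != list(REQUIRED_METADATA):
        return (
            "non-aggregate query without metadata fields '_id', '_version', "
            "and '_index' -> Add 'metadata _id, _version, _index' to the from "
            "command or add an aggregate function."
        )
    return None


def validate_any_order(query: str) -> Optional[str]:
    """Post-fix model: every required field must be present; order is free and
    additional metadata fields are tolerated. Returns an error or None."""
    if is_aggregate(query):
        return None
    missing = set(REQUIRED_METADATA) - set(parse_metadata(query))
    if missing:
        return "missing metadata fields: " + ", ".join(sorted(missing))
    return None


# Constructed sample rules; they are not the rules from the issue's screenshots.
SAMPLE_QUERIES = {
    "documented_order": 'FROM logs-* METADATA _id, _version, _index | WHERE event.code == "4625"',
    "reordered":        'FROM logs-* METADATA _index, _id, _version | WHERE event.code == "4625"',
    "missing_version":  'FROM logs-* METADATA _id, _index | WHERE event.code == "4625"',
    "aggregate":        "FROM logs-* | STATS count = COUNT(*) BY host.name | WHERE count > 100",
}

if __name__ == "__main__":
    for name, query in SAMPLE_QUERIES.items():
        strict_ok = validate_strict_order(query) is None
        any_ok = validate_any_order(query) is None
        print(f"{name:18} strict_order={strict_ok!s:5} any_order={any_ok}")
```

Running the block prints one line per sample: the reordered query is the only one the two checks disagree on, which is the situation the issue describes; the query missing _version fails both, and the STATS query passes both because aggregate queries are exempt from the requirement.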
